Creating Apple Developer ID-signed Casper QuickAdd installer packages

With 10.8, Apple introduced Gatekeeper as a way to allow users to define which sources they would trust for downloading applications. This functionality was also available in 10.7.x, but was not turned on by default.

By default, Gatekeeper allows applications downloaded from the Mac App Store and applications signed by certified Apple developers to be launched. This restriction also applies to application installers. If a downloaded installer package is not signed with an Apple developer certificate, Gatekeeper treats it as an unknown installer and does not allow it to launch without being manually overridden.

As part of supporting OS X 10.8, Casper 8.6 includes the ability to sign Casper QuickAdd agent installer packages. If you need to have signed QuickAdd packages for your own Casper environment, see below the jump for how to obtain the needed certificates.

6. In Keychain Access, go to the Certificate Assistant and select Request a Certificate from a Certificate Authority.

7. Fill in the User Email Address and Common Name fields as appropriate, select Saved to disk, then click the Continue button.

8. Save the certificate signing request file to an appropriate place.

9. Once the certificate signing request has been saved, go back to your browser and click the Continue button to access the Submit Your Certificate Signing Request page.

10. On the Submit Your Certificate Signing Request page, click the Choose File button and choose the certificate signing request file you just created with Keychain Access.

11. Once the certificate signing request file has been selected, click the Generate button to create the certificate.

12. Once the Developer ID certificate has been generated, download the Developer ID Installer certificate and double-click on it to add it to your 10.7.x or 10.8.x Mac’s login keychain.
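A check that can be run in Terminal after step 12, added here as an example (it is not part of the original post or of JAMF's tooling): it reads the output of `security find-identity -v` and reports whether the keychain holds a usable Developer ID Installer identity rather than a Developer ID Application or Mac App Store installer identity. The function names are hypothetical, and the identity names and hashes in `SAMPLE` are constructed.

```shell
#!/bin/sh
# Added example: classify signing identities listed by `security find-identity -v`.
# An identity is a certificate plus its private key, so a certificate whose key
# lives on another Mac will not appear in that listing at all.

# Constructed sample output (names and hashes are made up for illustration).
SAMPLE='  1) 1111111111111111111111111111111111111111 "Developer ID Application: Example Corp (ABCDE12345)"
  2) 2222222222222222222222222222222222222222 "3rd Party Mac Developer Installer: Example Corp (ABCDE12345)"
  3) 3333333333333333333333333333333333333333 "Developer ID Installer: Example Corp (ABCDE12345)"
     3 valid identities found'

# Read find-identity output on stdin; print one verdict per identity.
classify_identities() {
    sed -n 's/^ *[0-9][0-9]*) [0-9A-Fa-f][0-9A-Fa-f]* "\(.*\)"$/\1/p' |
    while IFS= read -r name; do
        case "$name" in
            "Developer ID Installer: "*)
                echo "OK (signs installer packages outside the Mac App Store): $name" ;;
            "Developer ID Application: "*)
                echo "WRONG TYPE (signs applications, not installer packages): $name" ;;
            "3rd Party Mac Developer Installer: "*)
                echo "WRONG TYPE (Mac App Store submission installer): $name" ;;
            *)
                echo "OTHER: $name" ;;
        esac
    done
}

# Succeed only if at least one Developer ID Installer identity is listed.
has_installer_identity() {
    classify_identities | grep -q '^OK '
}

# On a Mac, inspect the real keychains; elsewhere, fall back to the sample.
if command -v security >/dev/null 2>&1; then
    security find-identity -v | classify_identities
else
    printf '%s\n' "$SAMPLE" | classify_identities
fi
```

Once Recon has built the package, running `pkgutil --check-signature` against the resulting .pkg shows the certificate chain it was signed with.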

Creating a signed QuickAdd package with Recon

1. If not already installed, install JAMF’s Recon application on the 10.7.x or 10.8.x Mac.

Note: If you’re building on a 10.7.x Mac, you may also need to install the Apple Developer ID Certification Authority Intermediate Certificate into the Mac’s system keychain. Instructions on how to do that are available here at JAMF Nation.

Hey mate just an FYI, doesn’t seem that this works any more, I needed to create a Mac App Store Signing certificate. Have a look at the popup window that Recon gives me when trying to use the Developer Cert https://dl.dropbox.com/u/6841/dev-cert-error.png

It seems now that you need to create a Mac Installer Cert for this to work.

I see the issue; you’re signing an installer that’s intended for distribution in the Mac App Store. That’s a different set of signing certificates than the Developer ID certificates that I’m referencing here.

The Developer ID signing procedure I’m describing is for an installer that’s not going to be posted to the Mac App Store.

Thanks for this post Rich! Just a quick note that on the developer site it only lets you choose “Developer ID Application Certificate” OR “Developer ID Installer Certificate” now. I chose the Installer Certificate and it worked fine for me. Just wanted to share my findings. Thanks again!

FYI – these directions are still good to go. As of this reply you can only select Application Cert or Install Cert…not both like in the screenshot. Also, I couldn’t get it to work with a preexisting cert my company already had lying around. It worked when I did the Cert request from my machine…not sure if that was the key or not, but be sure to make a fresh one from your machine if you’re having trouble.